When China’s new Cybersecurity Law takes effect on June 1, 2017, China will become another important jurisdiction to watch in the international data transfer space.

Before the new Cybersecurity Law was officially promulgated on November 7, 2016, cross-border transfer of data from China was largely unregulated by the government.  While many Chinese laws and regulations governed the collection, use and storage (including localization) of data, no binding laws or regulations contained generally applicable legal requirements or constraints on the transfer of data across Chinese borders.

Article 37 of the new Law, for the first time, expressly requires that operators of Critical Information Infrastructure (CII) store within China “citizens’ personal information and important data” collected or generated in the course of operations within the country.  If transfers of data offshore are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise regulated by laws and regulations.

Although there currently is a lack of specifics, the government is likely to devise a data transfer mechanism that relies on CII operators’ commitments or binding contractual obligations to allow companies to transfer personal information of Chinese citizens to other countries.  It is possible that at least some elements of this mechanism will be comparable to the European Union’s (EU’s) Model Contracts and Binding Corporate Rules (BCR) or Asia-Pacific Economic Cooperation’s (APEC’s) Cross Border Privacy Rules (CBPR) system.  For “important data” relating to China’s national security, the assessment will have to be made on a case-by-case basis.

Companies that transfer Chinese citizens’ data into and out of China on a regular basis can consider taking steps to comply with the potential Chinese requirements, even though we still lack official guidance from the agencies.

Covington’s Yan Luo explains in a EuroBiz article the changes proposed by the new Law and discusses potential data transfer compliance strategies that companies may wish to consider to comply with the new Chinese data transfer requirements.  Read the full article here.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.